Description

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.

Remediation

References

https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f

https://github.com/jaw187/node-traceroute/tags

https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3

https://snyk.io/vuln/npm:traceroute:20160311

https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy

https://www.npmjs.com/advisories/1465

https://www.npmjs.com/package/traceroute

https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/

Related Vulnerabilities

CVE-2022-25901 Vulnerability in maven package org.webjars.npm:cookiejar

CVE-2020-5219 Vulnerability in maven package org.webjars.npm:angular-expressions

CVE-2023-32235 Vulnerability in npm package ghost

CVE-2020-28487 Vulnerability in npm package vis-timeline

CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-hive

Severity

Critical

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit Product